That's the problem, I don't think it was a legitimate call. I scanned every single file in /var/www and I don't see presence on uptime call anywhere. I afraid it was a probe to see if the system can be compromised. I scanned file system for inode 2474106 - it's gone, neither ppid=18807 nor pid=18808 are running, so I am not even sure where else to look. Sincerely yours, Vadym Chepkov --- On Thu, 10/1/09, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > From: Daniel J Walsh <dwalsh@xxxxxxxxxx> > Subject: Re: Strange AVC > To: fedora-selinux-list@xxxxxxxxxx > Date: Thursday, October 1, 2009, 10:06 AM > On 10/01/2009 05:51 AM, Dominick > Grift wrote: > > On Wed, Sep 30, 2009 at 05:21:56PM -0700, Vadym > Chepkov wrote: > >> Hi, > >> > >> I am puzzled, what could have caused this kind of > AVC: > >> > >> type=SYSCALL msg=audit(1254270789.862:74347): > arch=c000003e syscall=2 success=no exit=-13 a0=7f2929f52532 > a1=0 a2=d a3=7fff325c4270 items=0 ppid=18807 pid=18808 > auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 > sgid=48 fsgid=48 tty=(none) comm="uptime" > exe="/usr/bin/uptime" subj=user_u:system_r:httpd_t:s0 > key=(null) > >> type=AVC msg=audit(1254270789.862:74347): > avc: denied { read } for pid=18808 > comm="uptime" name="utmp" dev=sda1 ino=2474106 > scontext=user_u:system_r:httpd_t:s0 > tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file > > > > Well uptime runs in the httpd_t domain and the httpd > domain (uptime) tried to read /var/run/utmp file. > /var/run/utmp has a object type that is owned by init > scripts for object in /var/run. > > > > you can and should check first to see whether the > types are correct: should "uptime" in this scenario run in > the httpd_t domain (is it called from a webapp (non-cgi) > also is the target object labelled properly (matchpathcon > /var/run/utmp) > > > > Once that is established you can verify whether > httpd_t should be able to access the target type: > > > > sesearch --allow -s httpd_t -t initrc_var_run_t > -c file -p read > > > > With this information you are going to have to make > your security decision. > > > > should you allow it or deny it? > > > > I can tell you that in my configuration /var/run/utmp > also has type initrc_var_run_t. So i guess that is what it > should be. > > > > What i cannot tell you is why and how uptime is > executed in this scenario. > > All i know is that it runs in the httpd_t domain. > >> > >> > >> Sincerely yours, > >> Vadym Chepkov > >> > >> -- > >> fedora-selinux-list mailing list > >> fedora-selinux-list@xxxxxxxxxx > >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > >> > >> > >> -- > >> fedora-selinux-list mailing list > >> fedora-selinux-list@xxxxxxxxxx > >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > You would need to add policy to be able to do this. > Apache being able to read utmp could allow a hacker to > figure out all the user names that have logged onto a > system. It is denied by default. > > You can easily add custom policy using audit2allow. > > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list